RUSTSEC-2026-0119

See a problem?
Please try reporting it to the source first.
Source
https://rustsec.org/advisories/RUSTSEC-2026-0119
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0119.json
JSON Data
https://api.test.osv.dev/v1/vulns/RUSTSEC-2026-0119
Aliases
Related
Published
2026-05-01T12:00:00Z
Modified
2026-05-07T08:56:41Z
Summary
CPU exhaustion during message encoding due to O(n²) name compression
Details

During message encoding, hickory-proto's BinEncoder stores pointers to labels that are candidates for name compression in a Vec<(usize, Vec<u8>)>. The name compression logic then searches for matches with a linear scan.

A malicious message with many records can both introduce many candidate labels, and invoke this linear scan many times. This can amplify CPU exhaustion in DoS attacks.

This is similar to CVE-2024-8508.

We recommend all affected users update to hickory-proto 0.26.1 for the fix.

Database specific 
{
    "license": "CC-BY-4.0"
}
References

Affected packages

crates.io / hickory-proto

Package

Name
hickory-proto
View open source insights on deps.dev
Purl
pkg:cargo/hickory-proto

Affected ranges

Type
SEMVER
Events
Introduced
0.3.1
Fixed
0.26.1

Ecosystem specific 

{
    "affected_functions": null,
    "affects": {
        "functions": [],
        "arch": [],
        "os": []
    }
}

Database specific

categories 
[
    "denial-of-service"
]
source 
"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0119.json"
cvss 
null
informational 
null